Description of problem: Formencode 1.0 breaks chained validators which do not use partial validation. This is a known bug for upstream and was fixed in 1.0.1 (http://www.formencode.org/news.html). Please update python-formencode to 1.0.1 as this will break many applications which do use chained validators. This may even be a security problem for Fedora users because the chained validators are never called!
python-formencode-1.0.1-1.fc9 has been submitted as an update for Fedora 9
New package built for F-9 and RawHide. Security team will approve and then it will be pushed to stable. If necessary, people can retrieve the package from the "Build link" on this page before the package goes out: https://admin.fedoraproject.org/updates/F9/pending/python-formencode-1.0.1-1.fc9
Brief description of the problem for the security response team: The formencode package allows people to write validators[1]. Among other places that these are used is within the TurboGears web framework. Thus, this bug will affect any TurboGears applications shipped by Fedora or built on top of the formencode-1.0 packages shipped with F-9. In the TurboGears context, validators are used to check that input from a user is in a form that the application expects. This can consist of transformations (from a string into an integer, for instance) and checks (making sure that input is a valid email address, that it only contains alphanumeric ASCII characters, or that the input specifies a valid value within a database, for instance). This particular bug affected a class of validators known as chained validators. These validators run after the other validators and are capable of checking that multiple values meet a validity check as opposed to only a single value. As an example, let's say the user is providing a timestamp, key and log message to a method add_new_log(). A chained validator might check that the combination of key and timestamp was not already recorded to avoid overwriting and losing existing logs. With the bug in formencode-1.0, the chained validator that checked for this case would silently fail to run, which means that overwriting of data might be possible. [1]: http://formencode.org/Validator.html
Another scenario. I've written a cgi script that reads certain files from my home directory and displays them on a web page. Because I'm not a very good programmer, my script takes a directory relative to my home directory and a filename from the user and displays what's in there if the first line of the file is "PUBLIC". The script has two sets of validators: The first set checks that the directory will fall within my home directory and that the filename doesn't contain any special characters like path separators. The second set is two chained validators that make sure that "PUBLIC" is the first line of the file and that the actual file is not a symlink to somewhere else. Because of this bug, not only is any file in the home directory exposed but, if I have a symlink to a directory somewhere else in the filesystem, any file in that directory is exposed as well.
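As an added illustration of the failure mode in the add_new_log() scenario above, the following stand-alone Python model (not formencode's own code; the Invalid, validate() and add_new_log() names and the sample store are constructed here) runs per-field validators and then the chained validators, and shows what happens when the chained step is silently skipped as it was in formencode 1.0:

```python
# Stand-alone model of a formencode-style Schema (constructed for this
# illustration, not formencode's code).
class Invalid(Exception):
    """Raised when a value fails validation."""

def to_int(value, state):
    """Per-field validator: convert the timestamp string to an int."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise Invalid("timestamp must be an integer")

def non_empty(value, state):
    """Per-field validator: the key must be present."""
    if not value:
        raise Invalid("key must not be empty")
    return value

def not_already_logged(fields, state):
    """Chained validator: sees all fields at once and rejects a
    (key, timestamp) pair that is already in the store held in `state`."""
    if (fields["key"], fields["timestamp"]) in state["existing"]:
        raise Invalid("log entry for this key/timestamp already exists")
    return fields

FIELD_VALIDATORS = {"timestamp": to_int, "key": non_empty, "message": lambda v, s: v}
CHAINED_VALIDATORS = [not_already_logged]

def validate(form, state, run_chained=True):
    """Validate each field, then run the chained validators over the result.
    run_chained=False mimics the formencode 1.0 bug: outside partial
    validation the chained validators were never invoked."""
    result = {}
    for name, validator in FIELD_VALIDATORS.items():
        result[name] = validator(form.get(name), state)
    if run_chained:
        for chained in CHAINED_VALIDATORS:
            result = chained(result, state)
    return result

def add_new_log(form, store, run_chained=True):
    """Record the entry in `store`; return False if validation rejected it."""
    state = {"existing": set(store)}
    try:
        clean = validate(form, state, run_chained=run_chained)
    except Invalid:
        return False
    store[(clean["key"], clean["timestamp"])] = clean["message"]
    return True
```

With the chained step skipped, the duplicate submission passes the per-field checks and overwrites the existing entry, which is exactly the silent data loss the report describes.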
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update python-formencode'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6312
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.